Cisco AnyConnect - RADIUS Challenge Support - Feature Request

Exsilium
Conversationalist

Cisco AnyConnect - RADIUS Challenge Support - Feature Request

To start with, I cant find the status of our Feature Request anywhere. Months ago we, along with CDW, put in a feature request to support RADIUS Challenge.

 

We migrated from ASA 5525-X to Meraki MX250 over the last year. One of the last items we have to migrate is our remote client VPN connections. While the MX supports AnyConnect, it does not support RADIUS Challenge. This prompts the user for the type of 2FA authentication they want, a Push, Text or Call.

 

This means we have had to leave the EoL ASA in place, in parallel to the MX, which obviously isnt ideal.

 

Additional item to consider is that we use ISE in the middle of all of this.

 

If anyone knows how to make this work, please let me know, or at least direct me to where I can find the status of our Feature Request.

9 Replies 9
PhilipDAth
Kind of a big deal
Kind of a big deal

>While the MX supports AnyConnect, it does not support RADIUS Challenge. This prompts the user for the type of 2FA authentication they want, a Push, Text or Call.

 

I don't know the answer - but interesting question.

 

Personally, I don't see much use for this feature anymore.  Everyone is changing over to SAML based authentication (instead of RADIUS).  Once you do that, AnyConnect uses a web page for authentication, and your SAML provider can display, ask or challenge in any way that it wants.

 

I did a Google and found several hits for "ISE" and "SAML", so it may be that ISE supports it.  Personally, I've done most of my SAML implementations using either Cisco DUO or Azure AD.

If you use Cisco Duo and have the "Beyond" plan you can also do a posture assessment at the same time.

 

And because SAML is SSO, once you authenticate using AnyConnect in this way, you are also automatically authenticated to every SAML app you use (Office 365, Salesforce, etc) so the user doesn't have to sign in again.

 

 

So maybe the question might not be when Cisco Meraki is adding support for a method that is dying out - but when you are modernizing your authentication method to what everyone is using .... 🙂

Exsilium
Conversationalist

I am investigating switching the system over to SAML, as well as removing ISE from the authentication process. I believe that was put in place (way before I started) because there was no 2FA solution in place at the time. It also adds the functionality of adding a DACL based on the user group... which... has its own benefits. Not sure if I want to give up that functionality or not.

 

 

CptnCrnch
Kind of a big deal
Kind of a big deal

ISE and MFA complement each other. With ISE, you have a wealth of functionality to authenticate users, and add a layer on top of that by using MFA.

Exsilium
Conversationalist

I know that 🙂 The problem is Meraki MX doesnt support RADIUS Challenge and we believe there is some problem with SAML+ISE+Meraki+DUO also.

PhilipDAth
Kind of a big deal
Kind of a big deal

I've done quite a few SAML+Meraki+Duo deployments and they work great.

 

Every Duo plan comes with Duo Central (cloud SAML) so there is nothing holding you back ...

PhilipDAth
Kind of a big deal
Kind of a big deal

What can ISE do that you can't do with SAML and Duo with regard to AnyConnect authentication?

Exsilium
Conversationalist

Right now we use ISE to apply a DACL to the session based on AD usergroup. For instance, restricting the admin subnet from non IT staff.

PhilipDAth
Kind of a big deal
Kind of a big deal

I can't say anything ... but watch this space for an announcement soon.

Trininox
Here to help

I was able to configure this with my Identity provider (Okta) so RADIUS automatically sends a push notification, but that is the extent of getting 2FA with RADIUS working.  The follow-up prompt as seen with ASA just doesn't exist in the Meraki implementation, just as the ability to deploy the AnyConnect client from the firewall is missing.  

 

SAML also worked as an option. 

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication/AnyConnect_VPN_Okt...  there are other provider write ups as well. 

 

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Troubleshooting_Guide/... 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels